Welcome to the October product update! Our Oct’24 releases have included a range of enhancements and new features across Veza’s products, including:
- Access Intelligence: New support for managing risk assignees, improved dashboard actionability, and Access Hub enhancements for all users.
- Access Reviews: Historic decision visualization, risk scores and resource usage attributes, scheduled review exports, and predefined approval and rejection notes.
- Lifecycle Management: Oracle HCM as a source of identity, new actions for ServiceNow, dry run capabilities for previewing the results of Lifecycle Management policies, support for webhooks in Actions, and options for triggering workflows based on an identity’s existing entitlements.
- Veza Integrations: New integrations for Cisco Duo, Device42, and enhancements for Privacera, Snowflake, SharePoint Online, PostgreSQL, and MySQL.
Please read on for more details about specific changes in each product area, and contact your Veza representative with any questions or valued feedback.
Access Intelligence
- Risk Assignees: Organizations can now assign users to specific risks detected in their environment, ensuring that the right individuals own those risks and mitigation tasks. You can assign an owner to any risk on the Access Risks page by expanding the Actions menu and choosing Add Risk Assignee. This is the first of planned risk lifecycle enhancements for improved risk remediation and tracking.
- Access Hub (Early Access): The Access Hub > My Access page now provides a streamlined interface for all users to review their current access to apps and resources. This enhancement extends visibility beyond managers and access review participants to include all users.
- Actionability Improvements for Dashboard Tiles & Query Details: You can now schedule automated email exports of query results directly from dashboard tiles and the query details view. The query details view also now supports link sharing, simplified change-based alert creation, rule configuration, and the option to assign resource owners in bulk.
Access Visibility
- Background Queries: You can now configure the time before queries move to background processing, with support for up to 5 concurrent background queries. While a background query is running, users can navigate away from Query Builder, and will receive a notification when results are ready on the Background Queries page. Note that query results are persisted for a limited time, which can be adjusted by your support team if required.
- Query Exports: Saved query exports now include natural language explanations of results and the Last Activity At timestamp.
Access Reviews
- Review History: The reviewer interface can now provide at-a-glance insight into how access has changed since the last review. Visual indicators now show whether a row represents added access, modified access, removed access, or access that remains unchanged since the last completed review based on the same configuration (now available in Early Access).
- Review Administration: The Access Reviews page now supports additional actions:
  - Completed and expired reviews can now be exported via the Export as CSV action.
  - Operators can use the View Configuration Details action to inspect the review settings, scope, and other reviews for that configuration.
- Scheduled Review Exports: Administrators can now schedule recurring exports on the Access Reviews page. Administrators can configure the frequency and email recipient with the Export All > Edit Schedule option. The recipient will receive a link to log in and download a CSV containing the list of all reviews, including full metadata such as start and publish time, due date, and completion status. The Access Reviews > Export All menu also now supports exporting all expired certification details.
- Predefined Approve/Reject Notes: When adding notes with decisions, reviewers can now pick predefined notes from a dropdown, in addition to using the text box to add a custom note. Predefined notes can be configured for all reviews or for individual configurations with Global Settings APIs.
- UX Enhancements: Increased the maximum number of rows displayed per page in the reviewer interface (up to 500, default 50 rows). You can also now skip to the first or last page of certification results.
- Export Permissions: Administrators can now control whether reviewers can export their assigned rows (configured with Global Settings APIs).
- Risk and Access Monitoring for Advanced Access Reviews: Reviewers can now sort and filter by optional Risk Level and Last Activity With Resource At columns in the reviewer interface. Exported reviews now contain entity risk levels and resource usage details for queries that support Activity Monitoring.
Lifecycle Management
- Identity Details: Administrators can now review Access Profile details for individual employees from the Identities details view.
- Identity Sources: Oracle Human Capital Management (HCM) Cloud can serve as a source of identity for lifecycle management operations.
- Orchestration Actions: You can now configure webhook notifications using existing configurations on the Integrations > Orchestration Actions page or by creating a new configuration within a policy or action.
- Open Authorization API: In-platform OAA integrations now have a configuration option to enable as a source of identity for Lifecycle Management policies.
- Policy Conditions: Condition strings now support filtering based on an identity’s current relationships (such as group memberships or role assignments). This enables more precise targeting of actions based on an identity’s existing entitlements.
- Policies Dry Run: Administrators can now use the Dry Run feature to preview how an existing Lifecycle Management policy would apply to an existing identity. This helps validate workflow configurations and test how a policy will affect a specific identity and/or combination of attributes before implementing it in production.
- Workflow Actions: Added support for writing Active Directory user profile parameters (or other source identity attributes) to ServiceNow Staging tables.
Veza Integrations
- Cisco Duo: New integration for discovering users, roles, and access credentials.
- Device42: New integration for discovering Device42 users and groups.
- Ivanti: New integration for the Ivanti Neurons HRIS platform, with support for using employee metadata as a source of truth for Lifecycle Management.
- Privacera: Enhanced integration with support for Resource Policies, Hive Databases, and Hive Tables in Privacera Cloud.
- SharePoint Online
  - SharePoint Subsites: The Azure integration can now discover SharePoint Subsites, including support for recursively retrieving child subsites up to any level. Administrators can now configure limits on which SharePoint sites are discovered.
  - SharePoint Role Effective Permissions: Added support for SharePoint Role Definitions, Role Assignments, and their effective permissions (requires Sites.FullControl.All SharePoint API permission for the Azure integration).
- Snowflake
  - Private Links: The integration can now be configured to use AWS or Azure private cloud links.
  - Snowflake Roles: Added support for role-to-role relationships involving both USAGE and OWNERSHIP grant types.
  - Performance Enhancements: When Audit Log Extraction is enabled for a Snowflake integration, Veza now only connects to the database when there are changes, and only extracts metadata that has been updated since the last sync. This will typically result in fewer and faster extractions and reduced warehouse usage overall.
- Database Connectivity
  - PostgreSQL and MySQL: These integrations can now fetch credentials from AWS Secrets Manager (instead of configuring an integration username and password).
  - PostgreSQL: Added support for PostgreSQL system-level permissions and new out-of-the-box assessment queries.
  - SQL Server: Added support for integrations using dynamic ports.
- Coupa: Configured Permissions now have a Description attribute extracted from an imported roles report.
- GitHub: Integration details now show Personal Access Token extraction progress.
- Microsoft Azure: Added support for enabling or disabling discovery of Azure SQL Server and SharePoint Online.
- Oracle EBS: Effective RF Binding entities now have a Menu Names attribute.
- Redactable Attributes for Workday and Active Directory: Administrators can now specify a list of properties to ignore and mark as REDACTED when configuring these integrations.
- Salesforce: Added support for SFDC Product objects (requires object read permission for the integration).
- ServiceNow: Added support for extracting specified custom attributes for ServiceNow users. Veza now automatically discovers the Employee Number and Source attributes.
Product Design and Usability
- Team Navigation: Users can now switch their active team using a dropdown menu on the main Veza navigation. The Profile menu and team selector are now accessible by clicking on your user name at the bottom left.
- Dashboards: You can now collapse the Dashboard selection menu.
- Enrichment Rules: When adding an enrichment rule to identify NHI entities, privileged roles, or critical resources, you can now click Edit to view the query parameters and the latest results. Clicking a rule name on the Integrations > Enrichment Rules page also now opens the related query to view details or make changes.
- Lifecycle Management: The Activity Log now includes summaries of Policy actions and can be sorted and filtered by event start time.
- Query Builder: Most relevant tags now appear first when searching for tags.
- Access Reviews – Effective Permissions Visualization: The reviewer interface now offers better visualization of effective permissions, clarifying functional capabilities of each row. (C) create, (R) read, (W) write, (D) delete and (M) metadata permissions are now shown in a condensed and color-coded Permissions column (currently available in Early Access).
- Access Reviews – Quick Filters: Reviewers can now quickly apply filters to any visible column using a new dropdown menu in the table header. Column actions include the options to sort, group by, or hide the field (currently available in Early Access).